HOMEVULNERABILITIESCVE-2026-31444
CRITICAL

CVE-2026-31444

Published: April 22, 2026· Updated: Apr 27, 2026

9.8
CVSS v3.1
EPSS:0.02%probability of exploitation in 30 daysPercentile:4.8th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free and NULL deref in smb_grant_oplock()

smb_grant_oplock() has two issues in the oplock publication sequence:

1) opinfo is linked into ci->m_op_list (via opinfo_add) before

add_lease_global_list() is called. If add_lease_global_list()

fails (kmalloc returns NULL), the error path frees the opinfo

via __free_opinfo() while it is still linked in ci->m_op_list.

Concurrent m_op_list readers (opinfo_get_list, or direct iteration

in smb_break_all_levII_oplock) dereference the freed node.

2) opinfo->o_fp is assigned after add_lease_global_list() publishes

the opinfo on the global lease list. A concurrent

find_same_lease_key() can walk the lease list and dereference

opinfo->o_fp->f_ci while o_fp is still NULL.

Fix by restructuring the publication sequence to eliminate post-publish

failure:

- Set opinfo->o_fp before any list publication (fixes NULL deref).

- Preallocate lease_table via alloc_lease_table() before opinfo_add()

so add_lease_global_list() becomes infallible after publication.

- Keep the original m_op_list publication order (opinfo_add before

lease list) so concurrent opens via same_client_has_lease() and

opinfo_get_list() still see the in-flight grant.

- Use opinfo_put() instead of __free_opinfo() on err_out so that

the RCU-deferred free path is used.

This also requires splitting add_lease_global_list() to take a

preallocated lease_table and changing its return type from int to void,

since it can no longer fail.

NVD Source

Technical Analysis

CVE-2026-31444 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.

A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 9.8.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorNetwork
Attack ComplexityLow
Privileges Req.None
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (5)

Quick Facts

CVE IDCVE-2026-31444
CVSS Score9.8 / 10
SeverityCRITICAL
CISA KEVNo
EPSS (30d)0.02%
PublishedApr 22, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-31444 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.